I'm in Whistler! And as I say at the start of this video, I did seriously consider having a week off these videos, but I found a comfy spot by the fire and a cold beer and all was good in the world again. This week has some updates on my Canada travels, a couple of data breaches I loaded during the week, new HIBP stickers and some really screwy password practices at HSBC. I'll still be here in Whistler next week so will pump out one more snowy update before heading home for a hot Christmas. ReferencesThe worker safety HIBP sticker is pretty cool ("The user has worked __ days without having being pwned")HSBC has a rather odd approach...

I'm on countdown to take-off for the next 2 and a bit weeks so I'm going to keep this intro really short because it's sitting between me and a relaxing cold one (as soon as the bags are ready). Heaps of services got pwned, Australia has a screwy set of circumstances (and reactions) around a cyber bill and HIBP had a 5th birthday celebration which resulted in stickers and a really fun live AMA video. That's it for now - next week's update comes from the snow! ReferencesWe've all been scraped (66M people had their data exposed after it was scraped off LinkedIn)My data was included (This will give everyone a good sense of what sort of stuff was...

So today is Have I Been Pwned's (HIBP's) 5th birthday. I started this project out of equal parts community service and curiosity and then somehow, over the last 5 years it's grown into something massive; hundreds of thousands of unique sessions a day, millions of subscribers, working with governments around the world and even fronting up to testify in Congress. I'd love to say I had the foresight to see all this coming but I didn't. Not one bit of it. I just did the things I thought made sense at the time and that was that.As the 5th birthday approached, I asked people what I should do. There were many good suggestions but chief among those which were...

I'm pushing this out a day late so firstly, apologies for the break in what's otherwise a pretty steady cadence. But having said that, as I say at the start of this video I've really been struggling with work / life balance lately. As such, I recorded this Thursday evening then spent most of Friday on the jet ski with my son. We balanced out a lot of work on this trip 😎But check out the scenery! Just stunning. Saw hundreds of turtles, dugongs, mantas and star fish. Just an amazing place. pic.twitter.com/kgWBhK8nrD— Troy Hunt (@troyhunt) November 30, 2018 Getting back to business as usual, I was in Sydney for a day trip during the week, I'm...

It's a no-blog week, but that doesn't mean any less is happening! This week, I've finally wrapped up the Lego Bugatti, got myself into the new iPad, connected my washing machine (I know, I know, I didn't plan it this way!) and then isolated it on a separate IoT network. What a time we live in... Oh - and speaking of times we live in, our data is getting thrown around the place like never before thanks to data aggregators and their constant breaches and frankly, I'm a bit fed up with it. All that and more in this week's update. ReferencesGet yourself some real cheap Pluralsight! (that's $100 off an annual subscription right there - one third!)My new...

Bit of a change of scenery this week; I've gone to the other end of the house whilst invasive palm tree roots are water blasted out from beneath my office window as part of our garden renos. But hey, that's a nice place to be on a day like this 😎Other than the location, it's business as usual. There's been some interesting discussion on biometric this morning, I'm appealing to developers of extensions and add-ons to whitelist themselves when a CSP is present and I'm talking about Google's U2F implementation. That last one in particular has had a heap of traction so appears to have struck a bit of a chord. Checking out Google Analytics, it looks it made it...

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn't be in a position where we're still dependent on passwords and people needing to understand good password management practices in order for them to work properly.This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA...

You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). You know what I really don't like? Logging on to Report URI and being greeted with something like this:This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with. Some brief background first as I'll be sharing this post with a bunch of folks for which this may be new: A CSP is a response header or meta tag that allows you to declare a policy for your website declaring what sorts of content can be loaded...

Wow, didn't the passwords discussions go nuts this week! Passwords suck and they must die, they're never going to die, people are using bad ones, people should be able to use bad ones, developers are at fault and my personal favourite in the "how on earth did you reach that conclusion" category, I should actually do something to educate people about passwords rather than blaming them for using bad ones. I've gotta stop laying around doing nothing with my days...But seriously, both posts on passwords this week garnered a heap of input from people agreeing with me, disagreeing with me and arguing with each other. For the most part, this was just fine but what I didn't mention in...

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this:The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack. This is when hackers try usernames and password combos leaked in data breaches at other companies, hoping that some users might have reused usernames and passwords across services.The second story was about a number of verified Twitter accounts having been...